October 1st, 2014 Brian Herzog
This weekend on Twitter, @itsokayihaveabook linked to a great article on the current thinking for choosing a secure password. I don't keep up with this stuff all the time, but every so often I will check in to see what the developments are. If you only read one password security article this year, this is a good candidate.
I liked this one because it wasn't just preachy-talky on why good passwords are important - the author, Bruce Schneier, explains how password cracking actually works, and gives advice based on that for creating better passwords.
Some things not to do:
- don't use words: password-guessing software crunches through multiple dictionaries at unbelievable speeds, so even nonsensical word combinations will eventually be guessed
- don't use personally-identifiable information: many aspects of our lives are online, and hackers will use everything they know about us when guessing passwords - so don't use addresses, phone numbers, birthdates, schools, mascots, relatives' names, etc.
- don't be common: there are lots of standard passwords (like pa$$w0rd, temp1234, i<3book$, etc.) that are built into password-guessing tools - even though it looks tricky to the eye, if other people are using it, chances are the hackers will try it
- don't reuse passwords: with corporate-level security breaches, even a good password might be compromised through no fault of your own. But if you use the same good password for all your accounts, once the hackers get it from Home Depot or Target or wherever, it's much easier for them to get into your PayPal and Amazon and bank accounts
So here's what he feels you can do - the "Schneier scheme":
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.
The entire article is worth reading. But his bottom-line takeaway is kind of scary: "Pretty much anything that can be remembered can be cracked."
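To make the four "don'ts" and the Schneier scheme concrete, here is a small checker (example code written for this post, not from the linked article or from Schneier) that undoes the usual leet substitutions and tests whether a password is just dictionary words, digits and punctuation. The word list and common-password list are constructed stand-ins; a real checker would load large lists.

```python
import re

# Constructed stand-ins for the dictionaries and common-password lists that
# cracking tools run through; a real checker loads large lists (and breach dumps).
WORDLIST = {"i", "love", "password", "book", "books", "library", "temp",
            "piggy", "market", "went", "this", "little"}
COMMON = {"pa$$w0rd", "temp1234", "i<3book$", "password1"}

# Undo the usual "leet" substitutions so pa$$w0rd normalizes to "password".
LEET = str.maketrans({"$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "!": "i"})

def normalize(pw: str) -> str:
    """Lowercase, expand '<3' to 'love', then reverse single-character leet."""
    return pw.lower().replace("<3", "love").translate(LEET)

def built_from_words(s: str) -> bool:
    """True if s splits entirely into dictionary words, digit runs and single
    punctuation characters, i.e. a word-combination guesser would reach it."""
    ok = [False] * (len(s) + 1)
    ok[0] = True
    for i in range(len(s)):
        if not ok[i]:
            continue
        m = re.match(r"\d+", s[i:])
        if m:
            ok[i + m.end()] = True
        if not s[i].isalnum():
            ok[i + 1] = True
        for w in WORDLIST:
            if s.startswith(w, i):
                ok[i + len(w)] = True
    # Letters can only be consumed by word tokens, so a full split that
    # contains any letter used at least one dictionary word.
    return ok[len(s)] and any(c.isalpha() for c in s)

def weaknesses(pw: str, personal=()) -> list:
    """Return the reasons a password fails the post's rules ([] means none)."""
    reasons = []
    lower, norm = pw.lower(), normalize(pw)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if lower in COMMON:
        reasons.append("on the common-password list")
    if built_from_words(lower) or built_from_words(norm):
        reasons.append("built from dictionary words (after undoing leet)")
    for item in personal:  # e.g. a pet's name or a birth year
        if len(item) >= 3 and item.lower() in lower:
            reasons.append("contains personal information: " + item)
    return reasons
```

Run against the post's examples, pa$$w0rd, temp1234 and i<3book$ are all flagged as dictionary-based, while the sentence-derived tlpWENT2m gets no complaints.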
I'm going to start recommending this technique when helping patrons set up email accounts. Thanks Jenny!
Update 10/3/14:
A reader sent me a link to another article, Why you don't need long, complex passwords. I sort of referenced the gist above, but it does a much better job of spelling out another major vulnerability. Thanks R. E.!
The bottom line of all of this seems to be that living is inherently dangerous, so live well and don't worry too much about it.
Posted under Uncategorized | Creating Better Passwords By Knowing How They're Cracked
February 26th, 2009 Brian Herzog
In December, I had a series of posts concerning Overdrive's mp3 audiobooks. At the time, they were brand-new to my library, and I hadn't had a chance to experiment with them. Now I have.
Since Overdrive was previously so top-heavy with the DRM, I was curious just how "mp3" their mp3 files would be - would they be totally open like mp3 files should be, or would they be pseudo-mp3s, still with some kind of DRM wrapper or innards?
I never feel like I really understand something until I'm able to take it apart and put it back together to see where the flaws are, so here are the results of my experimenting:
During the checkout process (which still requires five clicks to accomplish after finding a book and entering my library card number), Overdrive hits you with their mp3 terms of service. Items 3 and 4 below are what really come into play here:
The title(s) and file(s) in MP3 format ("Content") you have selected to download are licensed to your Library under an agreement with OverDrive, Inc. who is authorized to supply the Library with the Content by publishers and other copyright holders. Prior to accessing the Content, you are required to accept and agree to be bound to the Terms of Use as described below.
Please read the following carefully and click 'Yes' to accept to continue for access to the titles or 'No' to decline should you not agree.
- I agree to be bound by the applicable laws that apply to my use of the Content and the library download media service ("Service"). I acknowledge that the Content embodies the intellectual property of a third party and is protected by law. All rights, titles, and interest in the Content are reserved, and I do not acquire any ownership rights in the Content as a result of downloading Content.
- I will only use the Content for my own personal, non-commercial use. I will not perform, sell, distribute, transmit, assign, sell, broadcast, rent, share, lend, modify, adapt, edit, sub-license, or otherwise transfer the Content.
- The license granted to me to use the Content is for a one-time limited right to borrow the Content for a specific, library designated, limited duration ("Lending Period"). I agree and acknowledge that at the end of the Lending Period all rights to access the Content expire and terminate.
- At the end of the Lending Period, I will delete and/or destroy any and all copies of the Content, including any copies that may have been transferred to, or created on portable devices, storage media, removable drives, CDs & DVDs.
- I acknowledge that the library is providing access to the Content as a service to me so long as I and other users of this Service abide by these Terms of Use. In the event the library, OverDrive, or rights holder determine you or other users of this Service are violating these Terms of Use, the Library and/or OverDrive reserves the right to suspend or terminate your ability to use the Service and to borrow Content.
Click 'Yes' to indicate that you agree to these terms and to proceed to checkout.
Click 'No' to indicate that you do not agree to these terms. You will be directed back to your bookbag where you can remove MP3 title(s) should you want to check out titles in other formats.
The legal limits are clear, but I still wanted to know what was possible. My patrons ask me these things, and I think an informed answer is better than "I dunno, I never tried it."
So I downloaded the rights and the mp3 files for the book Little Brother, by Cory Doctorow, and waited out our two-week loan period. After the two weeks, when I tried to open the book through the Overdrive Media Console (OMC), the software deleted any obvious trace of the mp3 files from my computer. If I wanted to listen to the book again, I would have to download all 327MB of it again - which is no small time investment.
I was surprised that the OMC deleted it, but decided that since the software knew the path to the mp3 files, it might be the only weapon Overdrive has to enforce their terms of service.
So I downloaded the book again. This time, in addition to opening the book through the Media Console, I also copied the mp3 files into a different directory, and saved one to a flash drive. I wanted to see if Overdrive would seek-and-destroy any and all copies of the files, or just the copies it knew about in the one designated directory.
After another two weeks, I opened the files in the OMC, and they were duly deleted. However, when I browsed to the files in the alternate directory with Winamp, those played just fine. The files on the flash drive played, too (I don't have an iPod so I couldn't test what happens there - but my guess is nothing).
This reaffirms that these are in fact true mp3 files. Overdrive is therefore relying on the delete-what-we-can-reach tactic, and on the fact that Overdrive users have agreed to the terms of service and so are obligated to delete anything the OMC can't reach.
So once again, the Unshelved strip is in effect - in the world of publishers and copyright, there is a stark difference between possible and legal.
Tags: audio, audiobook, audiobooks, book, Books, crack, cracking, hack, hacking, hacks, ipod, libraries, Library, mp3, overdrive, public, Technology, unshelved
December 20th, 2008 Brian Herzog
When I started this blog, I never really expected anyone to read it. Even now, I know a few of my coworkers check in to see what I'm saying about them, but otherwise I'm surprised when someone from the library community notices what I say.
So I was doubly surprised to meet a patron who reads my blog (you know who you are).
Last week, a patron came in to ask me about the new iPod-friendly mp3 files now available to MVLC patrons through Overdrive. He had read my announcement(s) with interest, but was especially interested in this comment from Jeff:
...There are actually four different ways you can hack the drm to get permanent check-outs too.
The first thing I thought of was this Unshelved cartoon, and I explained to the patron that although something may be technically possible, that doesn't make it legal. And that library staff cannot show people how to break the law.
He was disappointed, but usually people interested in hacking enjoy challenges, so I think he's going to try to figure out what Jeff was talking about on his own.
PS: For those keeping track of such things, I'm traveling to Ohio for the week of Christmas to see my family. I'll be back in the new year - see you then, and I hope you have a nice holiday.
Tags: audio, audiobook, audiobooks, book, Books, crack, cracking, hack, hacking, hacks, ipod, libraries, Library, mp3, overdrive, public, Reference Question, Technology, unshelved